Silver Peak SD-WAN Solution Guide

The following sections describe how you use Silver Peak EdgeConnect with Prisma Access to provide next-generation security on internet-bound traffic:
If you have any issues after you complete these tasks, Troubleshoot the Silver Peak Remote Network.

Supported Software Versions and Requirements

The Silver Peak-Prisma Access solution is qualified with the following Silver Peak software versions:
  • 8.1.9.0

Supported IKE and IPSec Cryptographic Profiles

You onboard your SD-WAN edge devices using a remote network connection between the edge device at the branch site, HQ, or hub to Prisma Access. Use Panorama to create a remote network connection and create IKE and IPSec crypto profiles; then, set up an IPSec tunnel between the SD-WAN edge device and Prisma Access, using the same crypto profiles you used in Panorama.
The following table documents the IKE/IPSec crypto settings that are supported with Prisma Access and Silver Peak SD-WAN. A check mark indicates that the profile or architecture type is supported; a dash (—) indicates that it is not supported. Default and Recommended settings are noted in the table.
Crypto Profiles
Prisma Access
Silver Peak EdgeConnect
Tunnel Type
IPSec Tunnel
GRE Tunnel
Routing
Static Routes
Dynamic Routing (BGP)
Dynamic Routing (OSPF)
IKE Versions
IKE v1
IKE v2
IPSec Phase 1 DH-Group
Group 1
Group 2
(Default)
Group 5
Group 14
(Recommended)
Group 19
Group 20
(Recommended)
IPSec Phase 1 Auth
If you use IKEv2 with certificate-based authentication, only SHA1 is supported in IKE crypto profiles (Phase 1).
MD5
SHA1
(Default)
(Recommended)
SHA256
SHA384
SHA512
(Recommended)
IPSec Phase 1 Encryption
DES
3DES
(Default)
AES-128-CBC
(Default)
AES-192-CBC
AES-256-CBC
(Recommended)
(Recommended)
IPSec Phase 1 Key Lifetime Default
(8 Hours)
(8 Hours Recommended)
IPSec Phase 1 Peer Authentication
Pre-Shared Key
Pre-Shared Key
Certificate
IKE Peer Identification
FQDN
IP Address
User FQDN
IKE Peer
As Static Peer
As Dynamic Peer
Options
NAT Traversal
Passive Mode
Ability to Negotiate Tunnel
Per Subnet Pair
Per Pair of Hosts
Per Gateway Pair
IPSec Phase 2 DH-Group
Group 1
Group 2
(Default)
Group 5
Group 14
(Recommended)
Group 19
Group 20
(Recommended)
No PFS
IPSec Phase 2 Auth
MD5
SHA1
(Default)
SHA256
(Recommended)
SHA384
SHA512
(Recommended)
None
IPSec Phase 2 Encryption
DES
3DES
(Default)
AES-128-CBC
(Default)
AES-192-CBC
AES-256-CBC
(Recommended)
AES-128-CCM
AES-128-GCM
AES-256-GCM
(Recommended)
NULL
IPSec Protocol
ESP
AH
IPSec Phase 2 Key Lifetime Default
(1 Hour)
(Recommended 1 Hour
Lifebytes also supported
Tunnel Monitoring Fallback
Dead Peer Detection (DPD)
ICMP
(HTTP GET also supported)
Bidirectional Forwarding Detection (BFD)
SD-WAN Architecture Type
With Regional Hub/Gateway/Data Center
N/A
No Regional Hub/Gateway/Data Center
NA

SD-WAN Deployment Architectures Supported by Silver Peak

Silver Peak supports the following deployment architectures for use with Prisma Access. A — indicates that the deployment is not supported.
Use Case
Architecture
Supported?
Securing traffic from each branch site with 1 WAN link (Type 1)
Use an IPSec tunnel from each branch to Prisma Access. Use a Silver Peak EdgeConnect device at the branch.
Yes
Securing branch and HQ sites with active/backup SD-WAN connections
Yes
Securing branch and HQ sites with active/active SD-WAN connections
Yes
Securing branch and HQ sites with SD-WAN edge devices in HA mode
Yes
Securing SD-WAN deployments with Regional Hub/POP architecture (Type 2)
Yes

Recommended For You